fix(mcp): use oauth for claude code config #1118

Merged
runeb merged 2 commits into main from fix/mcp-claude-code-oauth-only
May 29, 2026
Conversation

@runeb
Member

@runeb runeb commented May 20, 2026

Description

Marks Claude Code as an OAuth-only MCP client (oauthOnly: true), so sanity mcp configure no longer embeds a Bearer token in the generated Claude Code config.

What to review

One-line change in editorConfigs.ts and minimal test adjustments to match.

Testing

Existing tests updated to reflect the new OAuth-only behavior for Claude Code.


Note

Low Risk
Low risk: a small change that stops embedding Bearer tokens in the generated Claude Code MCP config, with test updates to validate the new OAuth-only behavior.

Overview
Claude Code MCP configuration is now OAuth-only. sanity mcp configure marks Claude Code as oauthOnly, so generated configs no longer include an Authorization: Bearer ... header.

Tests were updated to reflect the new behavior (Claude Code now treated like Cursor for no-token configs), and configure-flow tests were adjusted to use another CLI editor where a token is still required.

Reviewed by Cursor Bugbot for commit 3ee742c. Bugbot is set up for automated code reviews on this repo. Configure here.

@runeb runeb requested a review from a team as a code owner May 20, 2026 23:34
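
The behaviour described in this PR, sketched as an added example (not code from the PR or from @sanity/cli): an `oauthOnly` editor entry yields a config with no `Authorization` header, and a small audit function flags configs that still carry one. The type shapes, `MCP_URL`, the `Sanity` server key, the helper names and the sample token are assumptions.

```typescript
// Added example with hypothetical shapes; not the @sanity/cli source.
type ServerConfig = {type: 'http'; url: string; headers?: Record<string, string>}

interface EditorConfig {
  name: string
  configKey: 'mcp' | 'mcpServers'
  oauthOnly?: boolean
  buildServerConfig: (token?: string) => ServerConfig
}

// Placeholder endpoint (assumption): the real server URL is not shown on the page.
const MCP_URL = 'https://mcp.example.invalid'

function httpConfig(token?: string): ServerConfig {
  const cfg: ServerConfig = {type: 'http', url: MCP_URL}
  if (token) cfg.headers = {Authorization: `Bearer ${token}`}
  return cfg
}

// OAuth-only: the client runs its own OAuth flow, so the builder never sees a token.
const claudeCode: EditorConfig = {name: 'Claude Code', configKey: 'mcpServers', oauthOnly: true, buildServerConfig: () => httpConfig()}
// Still token-embedding, as the review notes for OpenCode.
const openCode: EditorConfig = {name: 'OpenCode', configKey: 'mcp', buildServerConfig: (token) => httpConfig(token)}

function generateConfig(editor: EditorConfig, token: string): Record<string, unknown> {
  const server = editor.oauthOnly ? editor.buildServerConfig() : editor.buildServerConfig(token)
  return {[editor.configKey]: {Sanity: server}} // "Sanity" server name is an assumption
}

// Walk a parsed config and return the JSON paths that hold a bearer credential.
function findEmbeddedBearerTokens(node: unknown, path = '$'): string[] {
  if (typeof node === 'string') return /^Bearer\s+\S+/i.test(node) ? [path] : []
  if (node === null || typeof node !== 'object') return []
  const obj = node as Record<string, unknown>
  let hits: string[] = []
  for (const key of Object.keys(obj)) {
    hits = hits.concat(findEmbeddedBearerTokens(obj[key], `${path}.${key}`))
  }
  return hits
}

// Constructed sample: a config written before the change, token still embedded.
const legacyConfig = {
  mcpServers: {Sanity: {type: 'http', url: MCP_URL, headers: {Authorization: 'Bearer constructed-token-value'}}},
}
```

Running `findEmbeddedBearerTokens` over a parsed config file written by an earlier `sanity mcp configure` run shows whether a previously embedded token is still on disk.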
@claude

claude Bot commented May 20, 2026

Claude finished @runeb's task in 2m 20s


Review

  • Read changed files (editorConfigs.ts, both test files, changeset)
  • Verify changeset (present, patch bump, copy is concise/developer-facing)
  • Check test coverage for OAuth-only behavior

No blocking issues found. The change is minimal and correctly scoped:

  • editorConfigs.ts:301 — adding oauthOnly: true is consistent with how Cursor is configured (line 327) and is correctly consumed by writeMCPConfig.ts:24, detectAvailableEditors.ts:88, and setupMCP.ts:128, so no other call sites need updating.
  • editorConfigs.test.ts — the Claude Code config uses OAuth (no Authorization header) test mirrors the existing Cursor assertion. The editors except Cursor and Claude Code list at line 84 is correctly pruned.
  • configure.test.ts:248 — oauthOnly: true is added to the Claude Code table-driven case, which runEditorTest already branches on (lines 146, 166), so the token-creation API mocks and expect.not.stringContaining(token) assertion are now wired up correctly.
  • Switching the four scenario tests (auto-selects all editors, both error-handling tests, merges with existing config file) to OpenCode is necessary because those tests assert that a token gets generated and written into the config — behavior Claude Code no longer exhibits. OpenCode is a reasonable substitute (still token-embedding, still CLI-detected). The mcp vs mcpServers key swap in the merge test is correct for OpenCode (see editorConfigs.ts:347).
  • Changeset is present, patch bump is appropriate (behavior change, no API break), and the summary is concise and developer-facing.

Minor / non-blocking observations

  1. Changeset wording is slightly under-explanatory. "sanity mcp configure now uses OAuth for Claude Code." is accurate but doesn't surface the user-visible effect (no API token embedded in ~/.claude.json). Consider something like:

    sanity mcp configure no longer embeds an API token in Claude Code's MCP config; it uses OAuth instead.
    This is closer to how the Cursor equivalent would read and makes the security/behavior change explicit in release notes.

  2. Comment at editorConfigs.ts:36 still reads "Builds the server config with API token. If oauthOnly is true, the token is not used" — accurate, but worth noting that the EditorConfig interface still types buildServerConfig as (token: string) => ... (required). The two OAuth-only tests now call buildServerConfig() with no arg, which only works because defaultHttpConfig happens to declare token?: string and satisfies preserves the literal signature. Not a bug, but if someone later tightens the interface or changes the underlying signature, those test calls would break. Not worth changing in this PR.

@github-actions
Contributor

github-actions Bot commented May 20, 2026

📦 Bundle Stats — @sanity/cli

Compared against main (c342934b)

@sanity/cli

Metric Value vs main (c342934)
Internal (raw) 2.1 KB -
Internal (gzip) 799 B -
Bundled (raw) 10.97 MB -
Bundled (gzip) 2.06 MB -
Import time 832ms -5ms, -0.6%

bin:sanity

Metric Value vs main (c342934)
Internal (raw) 1023 B -
Internal (gzip) 486 B -
Bundled (raw) 9.84 MB -
Bundled (gzip) 1.77 MB -
Import time 1.94s -22ms, -1.1%

🗺️ View treemap · Artifacts

Details
  • Import time regressions over 10% are flagged with ⚠️
  • Sizes shown as raw / gzip 🗜️. Internal bytes = own code only. Total bytes = with all dependencies. Import time = Node.js cold-start median.

📦 Bundle Stats — @sanity/cli-core

Compared against main (c342934b)

Metric Value vs main (c342934)
Internal (raw) 97.0 KB +842 B, +0.9%
Internal (gzip) 22.7 KB +208 B, +0.9%
Bundled (raw) 21.61 MB +768 B, +0.0%
Bundled (gzip) 3.42 MB +200 B, +0.0%
Import time 788ms -1ms, -0.1%

🗺️ View treemap · Artifacts


📦 Bundle Stats — create-sanity

Compared against main (c342934b)

Metric Value vs main (c342934)
Internal (raw) 908 B -
Internal (gzip) 483 B -
Bundled (raw) 931 B -
Bundled (gzip) 491 B -
Import time ❌ ChildProcess denied: node -

@runeb runeb force-pushed the fix/mcp-claude-code-oauth-only branch 2 times, most recently from f5b1a42 to 6d01d22 Compare May 20, 2026 23:55
@runeb runeb force-pushed the fix/mcp-claude-code-oauth-only branch from 6d01d22 to dd5a47f Compare May 21, 2026 00:25
Four tests in configure.test.ts hardcoded 'Claude Code' as the
fixture editor while mocking the token-issuance flow. Now that
Claude Code is oauthOnly, those endpoints are never called and
no token is written, causing pending nock mocks and missing
assertions.

Switch them to OpenCode — the closest non-OAuth analog
(CLI-detected, JSON format).
@github-actions
Contributor

Coverage Delta

File Statements
packages/@sanity/cli/src/actions/mcp/editorConfigs.ts 100.0% (±0%)

Comparing 1 changed file against main @ cd110e7c2b0cdad7438f53d958a0831fea2a3773

Overall Coverage

Metric Coverage
Statements 84.3% (±0%)
Branches 74.3% (±0%)
Functions 84.2% (±0%)
Lines 84.8% (±0%)

Contributor

@jwoods02 jwoods02 left a comment


Tested locally on claude code, looks good ✅

@runeb runeb merged commit 7d2118d into main May 29, 2026
55 checks passed
@runeb runeb deleted the fix/mcp-claude-code-oauth-only branch May 29, 2026 14:57